projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
use condvar broadcasts to signal threads waiting for an IP, there might be more than one
[strongswan.git] / src / charon / sa / ike_sa_manager.c
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <pthread.h>
20 #include <string.h>
21
22 #include "ike_sa_manager.h"
23
24 #include <daemon.h>
25 #include <sa/ike_sa_id.h>
26 #include <bus/bus.h>
27 #include <utils/linked_list.h>
28 #include <crypto/hashers/hasher.h>
29
30 typedef struct entry_t entry_t;
31
32 /**
33 * An entry in the linked list, contains IKE_SA, locking and lookup data.
34 */
35 struct entry_t {
36
37 /**
38 * Number of threads waiting for this ike_sa_t object.
39 */
40 int waiting_threads;
41
42 /**
43 * Condvar where threads can wait until ike_sa_t object is free for use again.
44 */
45 pthread_cond_t condvar;
46
47 /**
48 * Is this ike_sa currently checked out?
49 */
50 bool checked_out;
51
52 /**
53 * Does this SA drives out new threads?
54 */
55 bool driveout_new_threads;
56
57 /**
58 * Does this SA drives out waiting threads?
59 */
60 bool driveout_waiting_threads;
61
62 /**
63 * Identifiaction of an IKE_SA (SPIs).
64 */
65 ike_sa_id_t *ike_sa_id;
66
67 /**
68 * The contained ike_sa_t object.
69 */
70 ike_sa_t *ike_sa;
71
72 /**
73 * hash of the IKE_SA_INIT message, used to detect retransmissions
74 */
75 chunk_t init_hash;
76
77 /**
78 * remote host address, required for DoS detection
79 */
80 host_t *other;
81
82 /**
83 * message ID currently processing, if any
84 */
85 u_int32_t message_id;
86 };
87
88 /**
89 * Implementation of entry_t.destroy.
90 */
91 static status_t entry_destroy(entry_t *this)
92 {
93 /* also destroy IKE SA */
94 this->ike_sa->destroy(this->ike_sa);
95 this->ike_sa_id->destroy(this->ike_sa_id);
96 chunk_free(&this->init_hash);
97 DESTROY_IF(this->other);
98 free(this);
99 return SUCCESS;
100 }
101
102 /**
103 * Creates a new entry for the ike_sa_t list.
104 */
105 static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
106 {
107 entry_t *this = malloc_thing(entry_t);
108
109 this->waiting_threads = 0;
110 pthread_cond_init(&this->condvar, NULL);
111
112 /* we set checkout flag when we really give it out */
113 this->checked_out = FALSE;
114 this->driveout_new_threads = FALSE;
115 this->driveout_waiting_threads = FALSE;
116 this->message_id = -1;
117 this->init_hash = chunk_empty;
118 this->other = NULL;
119
120 /* ike_sa_id is always cloned */
121 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
122
123 /* create new ike_sa */
124 this->ike_sa = ike_sa_create(ike_sa_id);
125
126 return this;
127 }
128
129
130 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
131
132 /**
133 * Additional private members of ike_sa_manager_t.
134 */
135 struct private_ike_sa_manager_t {
136 /**
137 * Public interface of ike_sa_manager_t.
138 */
139 ike_sa_manager_t public;
140
141 /**
142 * Lock for exclusivly accessing the manager.
143 */
144 pthread_mutex_t mutex;
145
146 /**
147 * Linked list with entries for the ike_sa_t objects.
148 */
149 linked_list_t *ike_sa_list;
150
151 /**
152 * RNG to get random SPIs for our side
153 */
154 rng_t *rng;
155
156 /**
157 * SHA1 hasher for IKE_SA_INIT retransmit detection
158 */
159 hasher_t *hasher;
160
161 /**
162 * reuse existing IKE_SAs in checkout_by_config
163 */
164 bool reuse_ikesa;
165 };
166
167 /**
168 * Implementation of private_ike_sa_manager_t.get_entry_by_id.
169 */
170 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
171 ike_sa_id_t *ike_sa_id, entry_t **entry)
172 {
173 enumerator_t *enumerator;
174 entry_t *current;
175 status_t status;
176
177 /* create enumerator over list of ike_sa's */
178 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
179
180 /* default status */
181 status = NOT_FOUND;
182
183 while (enumerator->enumerate(enumerator, &current))
184 {
185 if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
186 {
187 DBG2(DBG_MGR, "found entry by both SPIs");
188 *entry = current;
189 status = SUCCESS;
190 break;
191 }
192 if (ike_sa_id->get_responder_spi(ike_sa_id) == 0 ||
193 current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
194 {
195 /* seems to be a half ready ike_sa */
196 if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) ==
197 ike_sa_id->get_initiator_spi(ike_sa_id)) &&
198 (current->ike_sa_id->is_initiator(ike_sa_id) ==
199 ike_sa_id->is_initiator(current->ike_sa_id)))
200 {
201 DBG2(DBG_MGR, "found entry by initiator SPI");
202 *entry = current;
203 status = SUCCESS;
204 break;
205 }
206 }
207 }
208
209 enumerator->destroy(enumerator);
210 return status;
211 }
212
213 /**
214 * Implementation of private_ike_sa_manager_t.get_entry_by_sa.
215 */
216 static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
217 ike_sa_t *ike_sa, entry_t **entry)
218 {
219 enumerator_t *enumerator;
220 entry_t *current;
221 status_t status;
222
223 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
224
225 /* default status */
226 status = NOT_FOUND;
227
228 while (enumerator->enumerate(enumerator, &current))
229 {
230 /* only pointers are compared */
231 if (current->ike_sa == ike_sa)
232 {
233 DBG2(DBG_MGR, "found entry by pointer");
234 *entry = current;
235 status = SUCCESS;
236 break;
237 }
238 }
239 enumerator->destroy(enumerator);
240
241 return status;
242 }
243
244 /**
245 * Implementation of private_ike_sa_manager_s.delete_entry.
246 */
247 static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
248 {
249 enumerator_t *enumerator;
250 entry_t *current;
251 status_t status;
252
253 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
254
255 status = NOT_FOUND;
256
257 while (enumerator->enumerate(enumerator, &current))
258 {
259 if (current == entry)
260 {
261 /* mark it, so now new threads can get this entry */
262 entry->driveout_new_threads = TRUE;
263 /* wait until all workers have done their work */
264 while (entry->waiting_threads)
265 {
266 /* wake up all */
267 pthread_cond_broadcast(&(entry->condvar));
268 /* they will wake us again when their work is done */
269 pthread_cond_wait(&(entry->condvar), &(this->mutex));
270 }
271
272 DBG2(DBG_MGR, "found entry by pointer, deleting it");
273 this->ike_sa_list->remove_at(this->ike_sa_list, enumerator);
274 entry_destroy(entry);
275 status = SUCCESS;
276 break;
277 }
278 }
279 enumerator->destroy(enumerator);
280 return status;
281 }
282
283 /**
284 * Wait until no other thread is using an IKE_SA, return FALSE if entry not
285 * acquireable
286 */
287 static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
288 {
289 if (entry->driveout_new_threads)
290 {
291 /* we are not allowed to get this */
292 return FALSE;
293 }
294 while (entry->checked_out && !entry->driveout_waiting_threads)
295 {
296 /* so wait until we can get it for us.
297 * we register us as waiting. */
298 entry->waiting_threads++;
299 pthread_cond_wait(&(entry->condvar), &(this->mutex));
300 entry->waiting_threads--;
301 }
302 /* hm, a deletion request forbids us to get this SA, get next one */
303 if (entry->driveout_waiting_threads)
304 {
305 /* we must signal here, others may be waiting on it, too */
306 pthread_cond_signal(&(entry->condvar));
307 return FALSE;
308 }
309 return TRUE;
310 }
311
312 /**
313 * Implementation of private_ike_sa_manager_t.get_next_spi.
314 */
315 static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
316 {
317 u_int64_t spi;
318
319 this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
320 return spi;
321 }
322
323 /**
324 * Implementation of of ike_sa_manager.checkout.
325 */
326 static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
327 {
328 ike_sa_t *ike_sa = NULL;
329 entry_t *entry;
330
331 DBG2(DBG_MGR, "checkout IKE_SA, %d IKE_SAs in manager",
332 this->ike_sa_list->get_count(this->ike_sa_list));
333
334 pthread_mutex_lock(&(this->mutex));
335 if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
336 {
337 if (wait_for_entry(this, entry))
338 {
339 DBG2(DBG_MGR, "IKE_SA successfully checked out");
340 entry->checked_out = TRUE;
341 ike_sa = entry->ike_sa;
342 }
343 }
344 pthread_mutex_unlock(&this->mutex);
345 charon->bus->set_sa(charon->bus, ike_sa);
346 return ike_sa;
347 }
348
349 /**
350 * Implementation of of ike_sa_manager.checkout_new.
351 */
352 static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
353 {
354 entry_t *entry;
355 ike_sa_id_t *id;
356
357 if (initiator)
358 {
359 id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
360 }
361 else
362 {
363 id = ike_sa_id_create(0, get_next_spi(this), FALSE);
364 }
365 entry = entry_create(id);
366 id->destroy(id);
367 pthread_mutex_lock(&this->mutex);
368 this->ike_sa_list->insert_last(this->ike_sa_list, entry);
369 entry->checked_out = TRUE;
370 pthread_mutex_unlock(&this->mutex);
371 DBG2(DBG_MGR, "created IKE_SA, %d IKE_SAs in manager",
372 this->ike_sa_list->get_count(this->ike_sa_list));
373 return entry->ike_sa;
374 }
375
376 /**
377 * Implementation of of ike_sa_manager.checkout_by_message.
378 */
379 static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
380 message_t *message)
381 {
382 entry_t *entry;
383 ike_sa_t *ike_sa = NULL;
384 ike_sa_id_t *id = message->get_ike_sa_id(message);
385 id = id->clone(id);
386 id->switch_initiator(id);
387
388 DBG2(DBG_MGR, "checkout IKE_SA by message, %d IKE_SAs in manager",
389 this->ike_sa_list->get_count(this->ike_sa_list));
390
391 if (message->get_request(message) &&
392 message->get_exchange_type(message) == IKE_SA_INIT)
393 {
394 /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
395 enumerator_t *enumerator;
396 chunk_t data, hash;
397
398 data = message->get_packet_data(message);
399 this->hasher->allocate_hash(this->hasher, data, &hash);
400 chunk_free(&data);
401
402 pthread_mutex_lock(&this->mutex);
403 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
404 while (enumerator->enumerate(enumerator, &entry))
405 {
406 if (chunk_equals(hash, entry->init_hash))
407 {
408 if (entry->message_id == 0)
409 {
410 enumerator->destroy(enumerator);
411 pthread_mutex_unlock(&this->mutex);
412 chunk_free(&hash);
413 id->destroy(id);
414 DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
415 return NULL;
416 }
417 else if (wait_for_entry(this, entry))
418 {
419 DBG2(DBG_MGR, "IKE_SA checked out by hash");
420 entry->checked_out = TRUE;
421 entry->message_id = message->get_message_id(message);
422 ike_sa = entry->ike_sa;
423 }
424 break;
425 }
426 }
427 enumerator->destroy(enumerator);
428 pthread_mutex_unlock(&this->mutex);
429
430 if (ike_sa == NULL)
431 {
432 if (id->get_responder_spi(id) == 0 &&
433 message->get_exchange_type(message) == IKE_SA_INIT)
434 {
435 /* no IKE_SA found, create a new one */
436 id->set_responder_spi(id, get_next_spi(this));
437 entry = entry_create(id);
438
439 pthread_mutex_lock(&this->mutex);
440 this->ike_sa_list->insert_last(this->ike_sa_list, entry);
441 entry->checked_out = TRUE;
442 entry->message_id = message->get_message_id(message);
443 pthread_mutex_unlock(&this->mutex);
444 entry->init_hash = hash;
445 ike_sa = entry->ike_sa;
446 }
447 else
448 {
449 chunk_free(&hash);
450 DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
451 }
452 }
453 else
454 {
455 chunk_free(&hash);
456 }
457 id->destroy(id);
458 charon->bus->set_sa(charon->bus, ike_sa);
459 return ike_sa;
460 }
461
462 pthread_mutex_lock(&(this->mutex));
463 if (get_entry_by_id(this, id, &entry) == SUCCESS)
464 {
465 /* only check out if we are not processing this request */
466 if (message->get_request(message) &&
467 message->get_message_id(message) == entry->message_id)
468 {
469 DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
470 entry->message_id);
471 }
472 else if (wait_for_entry(this, entry))
473 {
474 ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
475 DBG2(DBG_MGR, "IKE_SA successfully checked out");
476 entry->checked_out = TRUE;
477 entry->message_id = message->get_message_id(message);
478 if (ike_id->get_responder_spi(ike_id) == 0)
479 {
480 ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
481 }
482 ike_sa = entry->ike_sa;
483 }
484 }
485 pthread_mutex_unlock(&this->mutex);
486 id->destroy(id);
487 charon->bus->set_sa(charon->bus, ike_sa);
488 return ike_sa;
489 }
490
491 /**
492 * Implementation of of ike_sa_manager.checkout_by_config.
493 */
494 static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
495 peer_cfg_t *peer_cfg)
496 {
497 enumerator_t *enumerator;
498 entry_t *entry;
499 ike_sa_t *ike_sa = NULL;
500 identification_t *my_id, *other_id;
501 host_t *my_host, *other_host;
502 ike_cfg_t *ike_cfg;
503
504 ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
505 my_id = peer_cfg->get_my_id(peer_cfg);
506 other_id = peer_cfg->get_other_id(peer_cfg);
507 my_host = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), 0, 0);
508 other_host = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, 0);
509
510 pthread_mutex_lock(&(this->mutex));
511
512 if (my_host && other_host && this->reuse_ikesa)
513 {
514 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
515 while (enumerator->enumerate(enumerator, &entry))
516 {
517 identification_t *found_my_id, *found_other_id;
518 host_t *found_my_host, *found_other_host;
519
520 if (!wait_for_entry(this, entry))
521 {
522 continue;
523 }
524
525 if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
526 {
527 /* skip IKE_SA which are not useable */
528 continue;
529 }
530
531 found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
532 found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
533 found_my_host = entry->ike_sa->get_my_host(entry->ike_sa);
534 found_other_host = entry->ike_sa->get_other_host(entry->ike_sa);
535
536 if (found_my_id->get_type(found_my_id) == ID_ANY &&
537 found_other_id->get_type(found_other_id) == ID_ANY)
538 {
539 /* IKE_SA has no IDs yet, so we can't use it */
540 continue;
541 }
542 DBG2(DBG_MGR, "candidate IKE_SA for \n\t"
543 "%H[%D]...%H[%D]\n\t%H[%D]...%H[%D]",
544 my_host, my_id, other_host, other_id,
545 found_my_host, found_my_id, found_other_host, found_other_id);
546 /* compare ID and hosts. Supplied ID may contain wildcards, and IP
547 * may be %any. */
548 if ((my_host->is_anyaddr(my_host) ||
549 my_host->ip_equals(my_host, found_my_host)) &&
550 (other_host->is_anyaddr(other_host) ||
551 other_host->ip_equals(other_host, found_other_host)) &&
552 found_my_id->matches(found_my_id, my_id) &&
553 found_other_id->matches(found_other_id, other_id) &&
554 streq(peer_cfg->get_name(peer_cfg),
555 entry->ike_sa->get_name(entry->ike_sa)))
556 {
557 /* looks good, we take this one */
558 DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
559 my_host, my_id, other_host, other_id);
560 entry->checked_out = TRUE;
561 ike_sa = entry->ike_sa;
562 break;
563 }
564 }
565 enumerator->destroy(enumerator);
566 }
567 DESTROY_IF(my_host);
568 DESTROY_IF(other_host);
569
570 if (!ike_sa)
571 {
572 u_int64_t initiator_spi;
573 entry_t *new_entry;
574 ike_sa_id_t *new_ike_sa_id;
575
576 initiator_spi = get_next_spi(this);
577 new_ike_sa_id = ike_sa_id_create(0, 0, TRUE);
578 new_ike_sa_id->set_initiator_spi(new_ike_sa_id, initiator_spi);
579
580 /* create entry */
581 new_entry = entry_create(new_ike_sa_id);
582 DBG2(DBG_MGR, "created IKE_SA");
583 new_ike_sa_id->destroy(new_ike_sa_id);
584
585 this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
586
587 /* check ike_sa out */
588 DBG2(DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
589 new_entry->checked_out = TRUE;
590 ike_sa = new_entry->ike_sa;
591 }
592 pthread_mutex_unlock(&(this->mutex));
593 charon->bus->set_sa(charon->bus, ike_sa);
594 return ike_sa;
595 }
596
597 /**
598 * Implementation of of ike_sa_manager.checkout_by_id.
599 */
600 static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
601 bool child)
602 {
603 enumerator_t *enumerator;
604 iterator_t *children;
605 entry_t *entry;
606 ike_sa_t *ike_sa = NULL;
607 child_sa_t *child_sa;
608
609 pthread_mutex_lock(&(this->mutex));
610
611 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
612 while (enumerator->enumerate(enumerator, &entry))
613 {
614 if (wait_for_entry(this, entry))
615 {
616 /* look for a child with such a reqid ... */
617 if (child)
618 {
619 children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
620 while (children->iterate(children, (void**)&child_sa))
621 {
622 if (child_sa->get_reqid(child_sa) == id)
623 {
624 ike_sa = entry->ike_sa;
625 break;
626 }
627 }
628 children->destroy(children);
629 }
630 else /* ... or for a IKE_SA with such a unique id */
631 {
632 if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
633 {
634 ike_sa = entry->ike_sa;
635 }
636 }
637 /* got one, return */
638 if (ike_sa)
639 {
640 entry->checked_out = TRUE;
641 break;
642 }
643 }
644 }
645 enumerator->destroy(enumerator);
646 pthread_mutex_unlock(&(this->mutex));
647
648 charon->bus->set_sa(charon->bus, ike_sa);
649 return ike_sa;
650 }
651
652 /**
653 * Implementation of of ike_sa_manager.checkout_by_name.
654 */
655 static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
656 bool child)
657 {
658 enumerator_t *enumerator;
659 iterator_t *children;
660 entry_t *entry;
661 ike_sa_t *ike_sa = NULL;
662 child_sa_t *child_sa;
663
664 pthread_mutex_lock(&(this->mutex));
665
666 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
667 while (enumerator->enumerate(enumerator, &entry))
668 {
669 if (wait_for_entry(this, entry))
670 {
671 /* look for a child with such a policy name ... */
672 if (child)
673 {
674 children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
675 while (children->iterate(children, (void**)&child_sa))
676 {
677 if (streq(child_sa->get_name(child_sa), name))
678 {
679 ike_sa = entry->ike_sa;
680 break;
681 }
682 }
683 children->destroy(children);
684 }
685 else /* ... or for a IKE_SA with such a connection name */
686 {
687 if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
688 {
689 ike_sa = entry->ike_sa;
690 }
691 }
692 /* got one, return */
693 if (ike_sa)
694 {
695 entry->checked_out = TRUE;
696 break;
697 }
698 }
699 }
700 enumerator->destroy(enumerator);
701 pthread_mutex_unlock(&(this->mutex));
702
703 charon->bus->set_sa(charon->bus, ike_sa);
704 return ike_sa;
705 }
706
707 /**
708 * Implementation of ike_sa_manager_t.checkout_duplicate.
709 */
710 static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
711 ike_sa_t *ike_sa)
712 {
713 enumerator_t *enumerator;
714 entry_t *entry;
715 ike_sa_t *duplicate = NULL;
716 identification_t *me, *other;
717
718 me = ike_sa->get_my_id(ike_sa);
719 other = ike_sa->get_other_id(ike_sa);
720
721 pthread_mutex_lock(&this->mutex);
722 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
723 while (enumerator->enumerate(enumerator, &entry))
724 {
725 if (entry->ike_sa == ike_sa)
726 { /* self is not a duplicate */
727 continue;
728 }
729 if (wait_for_entry(this, entry))
730 {
731 if (me->equals(me, entry->ike_sa->get_my_id(entry->ike_sa)) &&
732 other->equals(other, entry->ike_sa->get_other_id(entry->ike_sa)))
733 {
734 duplicate = entry->ike_sa;
735 entry->checked_out = TRUE;
736 break;
737 }
738 }
739 }
740 enumerator->destroy(enumerator);
741 pthread_mutex_unlock(&this->mutex);
742 return duplicate;
743 }
744
745 /**
746 * enumerator cleanup function
747 */
748 static void enumerator_unlock(private_ike_sa_manager_t *this)
749 {
750 pthread_mutex_unlock(&this->mutex);
751 }
752
753 /**
754 * enumerator filter function
755 */
756 static bool enumerator_filter(private_ike_sa_manager_t *this,
757 entry_t **in, ike_sa_t **out)
758 {
759 if (wait_for_entry(this, *in))
760 {
761 *out = (*in)->ike_sa;
762 return TRUE;
763 }
764 return FALSE;
765 }
766
767 /**
768 * Implementation of ike_sa_manager_t.create_iterator.
769 */
770 static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
771 {
772 pthread_mutex_lock(&this->mutex);
773 return enumerator_create_filter(
774 this->ike_sa_list->create_enumerator(this->ike_sa_list),
775 (void*)enumerator_filter, this, (void*)enumerator_unlock);
776 }
777
778 /**
779 * Implementation of ike_sa_manager_t.checkin.
780 */
781 static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
782 {
783 /* to check the SA back in, we look for the pointer of the ike_sa
784 * in all entries.
785 * We can't search by SPI's since the MAY have changed (e.g. on reception
786 * of a IKE_SA_INIT response). Updating of the SPI MAY be necessary...
787 */
788 status_t retval;
789 entry_t *entry;
790 ike_sa_id_t *ike_sa_id;
791 host_t *other;
792
793 ike_sa_id = ike_sa->get_id(ike_sa);
794
795 DBG2(DBG_MGR, "checkin IKE_SA");
796
797 pthread_mutex_lock(&(this->mutex));
798
799 /* look for the entry */
800 if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
801 {
802 /* ike_sa_id must be updated */
803 entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
804 /* signal waiting threads */
805 entry->checked_out = FALSE;
806 entry->message_id = -1;
807 /* apply remote address for DoS detection */
808 other = ike_sa->get_other_host(ike_sa);
809 if (!entry->other || !other->equals(other, entry->other))
810 {
811 DESTROY_IF(entry->other);
812 entry->other = other->clone(other);
813 }
814 DBG2(DBG_MGR, "check-in of IKE_SA successful.");
815 pthread_cond_signal(&(entry->condvar));
816 retval = SUCCESS;
817 }
818 else
819 {
820 DBG2(DBG_MGR, "tried to check in nonexisting IKE_SA");
821 /* this SA is no more, this REALLY should not happen */
822 retval = NOT_FOUND;
823 }
824
825 DBG2(DBG_MGR, "%d IKE_SAs in manager now",
826 this->ike_sa_list->get_count(this->ike_sa_list));
827 pthread_mutex_unlock(&(this->mutex));
828
829 charon->bus->set_sa(charon->bus, NULL);
830 return retval;
831 }
832
833
834 /**
835 * Implementation of ike_sa_manager_t.checkin_and_destroy.
836 */
837 static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
838 {
839 /* deletion is a bit complex, we must garant that no thread is waiting for
840 * this SA.
841 * We take this SA from the list, and start signaling while threads
842 * are in the condvar.
843 */
844 entry_t *entry;
845 status_t retval;
846 ike_sa_id_t *ike_sa_id;
847
848 ike_sa_id = ike_sa->get_id(ike_sa);
849 DBG2(DBG_MGR, "checkin and destroy IKE_SA");
850 charon->bus->set_sa(charon->bus, NULL);
851
852 pthread_mutex_lock(&(this->mutex));
853
854 if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
855 {
856 /* drive out waiting threads, as we are in hurry */
857 entry->driveout_waiting_threads = TRUE;
858
859 delete_entry(this, entry);
860
861 DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
862 retval = SUCCESS;
863 }
864 else
865 {
866 DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
867 retval = NOT_FOUND;
868 }
869
870 pthread_mutex_unlock(&(this->mutex));
871 return retval;
872 }
873
874 /**
875 * Implementation of ike_sa_manager_t.get_half_open_count.
876 */
877 static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
878 {
879 enumerator_t *enumerator;
880 entry_t *entry;
881 int count = 0;
882
883 pthread_mutex_lock(&(this->mutex));
884 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
885 while (enumerator->enumerate(enumerator, &entry))
886 {
887 /* we check if we have a responder CONNECTING IKE_SA without checkout */
888 if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
889 entry->ike_sa->get_state(entry->ike_sa) == IKE_CONNECTING)
890 {
891 /* if we have a host, count only matching IKE_SAs */
892 if (ip)
893 {
894 if (entry->other && ip->ip_equals(ip, entry->other))
895 {
896 count++;
897 }
898 }
899 else
900 {
901 count++;
902 }
903 }
904 }
905 enumerator->destroy(enumerator);
906
907 pthread_mutex_unlock(&(this->mutex));
908 return count;
909 }
910
911 /**
912 * Implementation of ike_sa_manager_t.flush.
913 */
914 static void flush(private_ike_sa_manager_t *this)
915 {
916 /* destroy all list entries */
917 enumerator_t *enumerator;
918 entry_t *entry;
919
920 pthread_mutex_lock(&(this->mutex));
921 DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
922 /* Step 1: drive out all waiting threads */
923 DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
924 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
925 while (enumerator->enumerate(enumerator, &entry))
926 {
927 /* do not accept new threads, drive out waiting threads */
928 entry->driveout_new_threads = TRUE;
929 entry->driveout_waiting_threads = TRUE;
930 }
931 enumerator->destroy(enumerator);
932 DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
933 /* Step 2: wait until all are gone */
934 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
935 while (enumerator->enumerate(enumerator, &entry))
936 {
937 while (entry->waiting_threads)
938 {
939 /* wake up all */
940 pthread_cond_broadcast(&(entry->condvar));
941 /* go sleeping until they are gone */
942 pthread_cond_wait(&(entry->condvar), &(this->mutex));
943 }
944 }
945 enumerator->destroy(enumerator);
946 DBG2(DBG_MGR, "delete all IKE_SA's");
947 /* Step 3: initiate deletion of all IKE_SAs */
948 enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
949 while (enumerator->enumerate(enumerator, &entry))
950 {
951 entry->ike_sa->delete(entry->ike_sa);
952 }
953 enumerator->destroy(enumerator);
954
955 DBG2(DBG_MGR, "destroy all entries");
956 /* Step 4: destroy all entries */
957 while (this->ike_sa_list->remove_last(this->ike_sa_list,
958 (void**)&entry) == SUCCESS)
959 {
960 entry_destroy(entry);
961 }
962 pthread_mutex_unlock(&(this->mutex));
963 }
964
965 /**
966 * Implementation of ike_sa_manager_t.destroy.
967 */
968 static void destroy(private_ike_sa_manager_t *this)
969 {
970 this->ike_sa_list->destroy(this->ike_sa_list);
971 this->rng->destroy(this->rng);
972 this->hasher->destroy(this->hasher);
973
974 free(this);
975 }
976
977 /*
978 * Described in header.
979 */
980 ike_sa_manager_t *ike_sa_manager_create()
981 {
982 private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
983
984 /* assign public functions */
985 this->public.flush = (void(*)(ike_sa_manager_t*))flush;
986 this->public.destroy = (void(*)(ike_sa_manager_t*))destroy;
987 this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
988 this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new;
989 this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message;
990 this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config;
991 this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
992 this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
993 this->public.checkout_duplicate = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))checkout_duplicate;
994 this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator;
995 this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
996 this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
997 this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
998
999 /* initialize private variables */
1000 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
1001 if (this->hasher == NULL)
1002 {
1003 DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
1004 free(this);
1005 return NULL;
1006 }
1007 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1008 if (this->rng == NULL)
1009 {
1010 DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
1011 this->hasher->destroy(this->hasher);
1012 free(this);
1013 return NULL;
1014 }
1015 this->ike_sa_list = linked_list_create();
1016 pthread_mutex_init(&this->mutex, NULL);
1017 this->reuse_ikesa = lib->settings->get_bool(lib->settings,
1018 "charon.reuse_ikesa", TRUE);
1019 return &this->public;
1020 }
1021
strongSwan - IPsec VPN